
Very concerned I have a LoJax style UEFI Boot/Rootkit Issue



Hi all,

 

I have been fighting for the last 2 weeks trying to get around a major security issue I have.

 

It started when my Windows 10 install seemed to become corrupted. After that things got worse and worse.

 

My main PC wouldn't boot, and the Windows recovery couldn't help at all (mainly because I have found out it's a fake version of the recovery environment provided by the virus / bootkit / rootkit), and it just destroyed my installation further.

 

My main machine no longer recognises my main boot HDD. I cannot boot into Windows 10.

 

It seems that the bootkit takes control even before entering the BIOS. I have flashed the Dual BIOS 3 times to no avail.

 

Trying to boot up rescue CDs is useless as the main HDD isn't recognised, and even if they do boot up they are in Linux mode (seems to be controlled by the bootkit). Although..... I did manage to hotplug my HDD half way through booting Bitdefender's rescue CD and it somehow recognised it - I ran a scan and it found trojans and removed them - but the virus definitions are out of date as I cannot get online to update them.

 

The virus seems to control every single element of the machine as soon as I press the power on switch.

 

I looked in the BIOS tools on Hiren's boot CD (I can only seem to get boot CDs to load when using legacy mode and not UEFI mode - probably so that I cannot see the HDD and try to clean them using these tools) and it mentioned a plug and play BIOS being in use.

 

Everything is locked down if I boot using the Linux tool Parted Magic (I think?) from Hiren's CD - root is controlling everything. I have tried to change permissions but no matter what I try root is king.

 

I've tried running virus scans in Linux but most of the files are protected by root and cannot be scanned.

 

If I boot into mini Windows XP the dreaded X: drive appears. It seems that rescue CDs are somewhat being controlled by this virus too.

 

I have no internet - I'm using a close family member's PC to write this.

 

It looks like a whole set of drivers and virtualised networks have been set up - Intel bridge adapters and NICs I've never seen have been set up. MAC address 00:00:00:00:00:00 is the main culprit and the hosts file has a redirect from 127.0.0.1 to localhost as a loopback. In Linux the connected IP list shows 0.0.0.0 listening on a shed load of ports (869, 39726, 6000, 22, 23, 47064). Mask 255.0.0.0 and broadcast address 0.0.0.0.

 

127.0.0.1 has these ports open - 7 echo, 13 daytime, 22 ssh, 23 telnet, 37 time, 111 rpcbind, 6000 x11.

 

The routing table in my sky router shows:

 

destination     mask             gateway
0.0.0.0         0.0.0.0          46.xxxxxxx.1
10.xxxxx        255.255.255.0    0.0.0.0
10.xxxxx        255.255.255.0    0.0.0.0
46.xxxxx.0      255.255.255.0    0.0.0.0      (same IP as the gateway above but 0 on the end)
192.168.0.0     255.255.255.0    0.0.0.0
224.xxxxxxx     224.xxxxxxxxx    0.0.0.0

 

My router IP is 192.168.0.1

 

Everything is locked down and I have very little control.

 

It has spread to two Windows 10 laptops doing the exact same thing. And worryingly the 127.0.0.1 IP address is showing on my iPhone as a discoverable network - it's been acting very strange and I'm worried it may have a jailbroken iOS installed on it via this whole virus hell which is within our home network. My iPhone has these ports open after scanning localhost with Fing: 1080 socks, 1083 anasoft licence manager, 8021 ftp-proxy.

 

PLEASE PLEASE can someone help. I have no idea what to do from here. Is it time for a new motherboard? Can this virus exist in the firmware of other PCI devices too? I'm so lost I have no idea what to do.

 

I will provide anything you need (providing I can actually get it due to the whole system lockdown!)

 

Many thanks in advance for anyone who can try and help me.

 

J


Hello jpmad4it and welcome to Malwarebytes,

Do you have access to another PC and a usb stick 4gb or above, if so do the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 or 10 consult How to use the Windows 8 or 10 System Recovery Environment Command Prompt Here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

Plug the flash drive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version, then press Enter. Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Thank you,

Kevin

 



Hello Kevin,

Thanks so much for replying so quickly. I have attached 3 scans from my desktop machine, and two laptop machines.

All were running Windows 10. The two laptops I have managed to clear the hard drives (I think) but the virus still seems to be controlling the machine from the BIOS. I don't know if the scans will tell you anything useful (named FRST15.txt and FRST17.txt).

The desktop scan is FRST.txt - I hoped that the HDD hasn't been wiped but it seems it has and it's saying I need to format the drive to use it - I was hoping to save the data on this drive.

Sorry if the scans aren't useful, the machines are struggling to access the drives, probably due to MBR corruption, I'm not sure.

Many thanks in advance.

FRST17.txt FRST15.txt FRST.txt


EDIT - I forgot to mention my PC has 4 HDDs in a RAID array which I cannot set up until I have access to Windows. I'm worried these HDDs may have viruses on them too as the temp folder for Windows was set to use this RAID......and Bitdefender did detect a virus in the temp folder before all the hell broke loose.

Not sure how to tackle that issue......the last thing we want is to get Windows up and running, set up the RAID and have it infect the whole system again :-(


Hello jpmad4it,

You will note from the three logs the same result was returned:

ATTENTION: Could not load system hive.
ATTENTION: System hive is missing.

That result is not what we want to see, I am hoping the OS drives are all encrypted. Is that the case..?

Thanks,

Kevin.


Hi Kevin

The drives have probably been formatted during my aim to get rid of the virus. 

Even though the drives may be formatted, the virus seems to still exist in the boot up sequence controlling the majority of the operations. Does that make sense?

Many thanks


mmmm, that log is telling us the full system hive is missing. You will have to reinstall Windows to get any further, probably well worth formatting the HDs before making fresh installs..

I would concentrate on your main PC, boot to the Recovery Environment, from the Choose an Option window select "Troubleshoot" from that window select "Reset this PC" follow the prompts from there, I would go for full reset and save nothing...

Thanks,

Kevin..


Hi Kevin, thanks again

When I try to install Windows it's saying that the drive isn't present in the BIOS (or something along those lines) and asks me to load a driver.
 

Can you think of any way around this - I think the MBR and / or partition tables are totally screwed up?


Hi again

Bad news. It's not working. It can't see the HDD in the recovery console to even wipe it for a fresh install.

I think some MBR work is needed.

Seeing as I can get into command root, can I not run a specific root/boot kit virus scanner via command line? Will something like that pick up viruses in the BIOS etc? I tried TDSSKiller cmd but it needs a licence lol. Any other suggestions on a decent cmd line scanner?


Boot to command prompt from Recovery Environment. Continue:

Type or copy/paste diskpart in the command prompt. hit Enter.

Type or copy/paste list disk hit Enter, which should list all disks connected to your computer.

Type or copy/paste select disk X hit Enter. Replace X with the disk number of the hard disk which normally has windows OS

Type or copy/paste clean hit Enter. That command will delete all partitions and data from the selected disk.

Type or copy/paste convert X: /FS:NTFS hit Enter. Replace X with the disk number of the hard disk which normally has windows OS

See if you can install windows now...

Not sure if it's compromised or not as it was burnt on my system before it started showing signs of infection.

 

I'll try to explain in as much detail as I can. It's very complicated and I've been working on it for maybe more than a week straight without sleep. Please bear with me. Apologies in advance if I'm mumbling and not making sense, networking isn't my strong point.
 

It started when my Microsoft account on Windows 10 wouldn't let me remove it from being used to sign into apps.

I noticed many apps being installed with regular updates. Games and things I didn't need etc. Strange apps such as App Connector, Web Client were installed and I couldn't delete them. They were being installed in a strange location on the OS too.

Credential Manager started showing random entries for Skype, Xbox etc which I deleted but they kept coming back.

My Plex account was also mentioned for the media server running on my NAS box - this used NetBIOS over TCP/IP and SMB - both of which I think are old and very vulnerable.

I noticed that my Windows install started acting weird. Security Centre would hang frequently when trying to change important settings. Trying to change settings would take me to Microsoft login in Edge with a long and strange looking URL.

My Microsoft account showed unsuccessful sync attempts from China but I changed my password just in case and locked down most of the security settings. I think it was too late even at this point and someone was slowly building up their very clever and patient hacking method. 
 

I even wiped 2 Sony Vaio laptops to be sure that they were clean. Looking back this was probably a waste of time. To me, the user, the machine was nice and clean and reset..... but unknown to me at the time it was probably also still under the control of the hacker who instantly takes control once I logged back in under a clean setup by using my compromised MS account.

A few months later Bitdefender alerts me that it's blocked an attempt to access a malicious URL and the machine is safe. I looked again and all the odd behaviour / settings had been reset. Again I fixed what I thought was the issue, ran all the necessary scans which I thought would be good enough - Bitdefender full scan, Windows Defender periodic scan, TDSSKiller, HitmanPro, Malwarebytes, SUPERAntiSpyware, RogueKiller etc etc. The usual adware was found and nothing alarming.

Then on the next boot the machine started hanging badly. It had been placed in a workgroup which I couldn't take it out of. A virus was found in the temp folder which I had manually moved off my OS disk to a RAID array to reduce read / write to my SSD. I cannot remember for the life of me the name of the virus - _apc or something along those lines? I was told the system had been cleaned successfully but the folder still remained in the temp directory and couldn't be removed due to permissions. The network type had changed to public from private. Everything went badly wrong from there. Recovery Environment was entered on the next boot and apparently issues with startup were fixed (I now know this was a fake RE partition provided by the malware). I did what I needed to do and then the machine wouldn't boot from this point on.

After many days of trying I got a view of the OS disk. The owner of the whole system was under a user called LSASETUPDOMAIN and the files came from a remote computer.

 

I managed to research on my other laptops for info, but they soon suffered the exact same problems as my Microsoft account was being used on those too.
 

I realised, after much stress and pain, that the hack had been going on for quite a while - a few months maybe, and that some kind of rootkit / bootkit install was the result and in summary:

 

Flashing the BIOS had no effect. It looks like it's a UEFI ROM virus / tailored hack which takes over the whole machine. New hardware and drivers had been installed. Virtual adapters, PCI bridges, unknown printer drivers, a plug and play BIOS, new partition and boot setups - the full monty. My disks weren't recognised - active boot partitions removed and locked down under the new permissions of the system. MBR altered and locked down. Loopback proxy installed on 127.0.0.1 - localhost redirects to it in the hosts file which had been changed. More on that later!!!

 

The BIOS refused to load any useful rescue CDs in UEFI mode. I had to use legacy mode which worked, but then my disks were not initialised / recognised so I couldn't do anything to fix them. Also the malware locked down anything useful I wanted to do from the rescue CDs. Booting into mini Windows XP on Hiren's boot disc - even this OS was under the control of the malware!! The rogue drivers and hardware were set up under the launch of this environment too. Same applied to any Linux rescue environment I tried. Parted Magic was useful though. It showed the loopback 127.0.0.1 was listening on specific ports. X11 was there, port 6000. MAC address of adapter 00:00:00:00:00:00. A whole host of SSL certs had been installed to serve rogue content over HTTPS leading me into a false sense of security thinking all was fine on the web content I was being served. Not the case.

Whilst trying desperately to fix one laptop so that I had a clean machine to work from I noticed the 3 iPhones in the household started acting strange and showing strange behaviour. Same with my iPad. I wiped and restored my phone just in case - but the same applied - the phone was great, reset and restored - but already under the control of the hacker and so in hindsight a pointless exercise.

Studying logs shows mentions of Pegasus, backboard, things that look very very bad to me. It looks like the O2 data connection is compromised or being tampered with. The SIM card? I don't know. I will attach screenshots of the logs. Private framework installs are shown. I don't know if I have got this right but it looks like the phones have been either remotely jailbroken (and then that's all that's needed from a hacker's point of view - I read checkra1n found a persistent jailbreak in the latest iOS 13.4.1) or the malware has been installed via a very clever method - compromise an account shared across devices such as Microsoft or Google (turns out it's the Pocket extension). Hack the desktop machine. Hack the corresponding phone device using those accounts. Control web traffic via their own SSL cert installs and local intranet setup within the household. Serve infected apps to the phone to install the malicious content. I stumbled across the acknowledgements content of certain apps and to me it looks like they have installed things that way.....I may be completely wrong, I'm not very educated on app development. I will attach screenshots.

I think a rogue Google Drive was installed on my PC which set up the file browser environment on our iPhones for infection. Again I may be wrong but the files I have seen stored on my phone seem like they are hard to find / access and cannot be deleted. The iPhones are also showing that they are waiting for devices to connect to them on 127.0.0.1. WebDAV maybe?

 

Back to the laptop - managed to get into the Acronis rescue CD - cleaned the drive and set a new partition. Installed Windows again - within 30 mins the system was compromised because the malware in the UEFI still exists.

On my PC / desktop machine, the only way I have found to boot any kind of rescue disc is using hot plugging. Booted with the Bitdefender rescue CD. After it's loaded the drivers etc, plug in the SATA HDD. Then when it loads the disk was recognised! Unfortunately the network connection wouldn't work and so the signatures will be out of date. It did find some trojans. Screenshots attached.

Sorry, my English and grammar are fading badly now.......please bear with me. Sky router - logged in and it's being smashed constantly with port scans from IP addresses which have been reported previously by others online. Locked it down. Nothing changed. Saved the config profile and to me it looks compromised - it mentions VLANs being set up, and what looks like wireless access points mapped to the hacker - giving them full control of the household via smart TVs, phones, Amazon Echo etc etc.

My Samsung smart TV had X11 on port 6000 open. TV downstairs - the voice search history shows commands of 'show me all open ports', 'show all input devices'. None of which we have searched for via voice. The TV also had a port open on it.

My iPhone has port 1080 socks open. And another ftp proxy port. Will attach screenshots. Sky router had ports open too.

My O2 account shows my connected device as my old iPhone. There was also a bolt-on on my account for the Relay UK service for minutes and texts. Strange things appeared on the forum under my account. I chatted to O2 online.......it wasn't O2 at all. They even followed up with a text message. They pushed for info from me. When I questioned them and asked that they should be asking me security questions they avoided it completely.
 

VPN connections on the iPhone seem compromised. All seem to be routed via the 127.0.0.1 address.

 

I'm not even sure if the Sky TV signal has been hacked into. The Sky Q set top box is broadcasting the SSID which the Sky Q router is meant to provide...... but the router is unplugged, completely turned off, no Ethernet cables plugged in etc!!

 

Basically I think the links I shared are similar to what is going on. Man in the middle, command and control, ARP poisoning, DNS spoofing, VPN tunnelling etc.

 

The landline phones are also behaving strangely with lots of drop-outs, volume changes, connection problems and background noise.

 

Please help me !!! 

 

PS: the attachments I have are around 2 GB - can I PM you with a link to share them with you? They are quite important as they show a lot of detail about certain aspects of the hack.

  • Root Admin

Hello @jpmad4it

I'm going to take over for @kevinf80 and try to assist you.

 

Though there are some known BIOS attacks and a single known UEFI attack (it was from a UEFI firmware back in 2008, no one would be using a computer with that old of a firmware today), a BIOS or UEFI attack is extremely unlikely unless you were possibly a State level target, in which case you wouldn't be here looking for help. So, let's rule those out as an issue and look at other things more likely and in the realm of reality.

 

1. Why are you using RAID?
2. Is it Hardware based or Software based?
 

There are reasons to run RAID at home but as I think you're finding out there are also severe drawbacks. RAID can run disk based IO tasks much faster than a single drive. It can also recover (if implemented correctly) from a failed or failing drive in the volume, thus preventing data loss due to a drive failure.
That is the good part. The bad part is that anytime something breaks that has to do with drive geometry, firmware, or hardware settings it can be extremely difficult to impossible to recover data. Unless you have a high level of experience with setting up and recovering from various issues then using RAID at home would not be something I would recommend. Keeping your data safely backed up at all times is the key to surviving hardware, software, or other threats to your data.

There are some bootkit / MBR (master boot record) infections: some just rewrite it, some delete it, and some encrypt it. If you were using a single disk (non RAID) you could probably do at least some data recovery as long as there was no physical hardware failure going on. In your case though, by using RAID it makes any type of recovery aside from hardware failure much more difficult.

Before we go on to try and fix your system please answer my questions about your setup and use of RAID. In many cases unless this is set up in hardware then booting to CD/DVD/USB media will not recognize the hard drive as a valid medium to mount and use.

Thank you

 



Hi there. Thanks for the reply. 
 

My desktop PC BIOS date is quite old. Maybe 2010 ish? I'll check. The MB is a Gigabyte Z77X-UP7 so it's around 8 years old maybe.
 

I set up the RAID 0 for performance years and years ago when I was young and naive and just wanted performance. So that's not a good part as it's not the best for redundancy (if any at all!)

When you say is it software based or hardware based are you referring to the RAID? It runs on a separate (old and not updated) Marvell chipset which I have no idea how I got to run on Windows 10 - I just remember it was a very fiddly job to get it working when I upgraded to Windows 10.

The RAID files and OS Acronis image are backed up to my NAS, but that's been unplugged and powered down since this started, so the NAS may be compromised too. I guess I will find out if I am going to lose all my precious data in the very near future. My Samsung SSD runs (ran) the OS btw - just re-read your post and I think (forgive me if I'm wrong) that you think my RAID is my only disk setup?

I should have the KS disc by tomorrow, my friend is helping out by burning the rescue discs for me.

Today I was doing some tests. I removed all devices bar the DVD drive, and hot plugged an old Western Digital HDD with Vista on it during the mini Windows XP boot. The drive looked fine.

I then tried booting Vista from the drive and got a blue screen. I used mini XP again to boot and studied the HDD. The clean partition of Windows had been encrypted and placed offline, but a second partition had been created with a clone of my version of Windows - plus a shocking amount of malware running in the bg. This is how they take over as the user is unaware what's happened.
 

I have managed to get a look at the HDD just after it's been partitioned. What I found has scared me.

The effort these guys have put in has created a highly customised and very vulnerable Windows OS. I have been studying the files etc and I am shocked. I will explain in detail if it will help?

I have the files available on both partitions. I'm thinking of taking a copy in case they self destroy after the next Windows login.

It's very late here now, but please don't hesitate to ask for anything from the partitions. I will try to explain in detail tomorrow what I have seen happening.

 

Many thanks


  • Root Admin

My point is that if the data was encrypted then until you detect which actual infection it is there is no way to recover the data. If you have your data backed up as an image that you can mount and extract or copy the data from, then my advice would be to just break the RAID volume, pick one of the drives, format it and install Windows again from scratch using one disk only and not using RAID.

You can download and build a Windows 10 USB disk image that can be used to explore the disk if it mounts, but again - it is unlikely that the RAID volume will be recognized and accessible outside of the real Windows installation.

Let me know what direction you'd like to take and I'll try to assist you further.

 


Hi again. My RAID volume didn't have the Windows installation on it. My Samsung SSD was the OS disk (C), and the RAID was a second drive (F) on the machine for non operating system files - music, photos etc.
 

The operating system image for the SSD is backed up on my NAS box along with the data for the RAID. The RAID data was backed up to the NAS using a synchronous task that ran from windows through mapped drives to folders on the NAS. I’m concerned the NAS drive could very well be infected too. 
 

If there is a way to try and clean the SSD and RAID discs first and see if the infection is completely removed that would be great. And then maybe treat the NAS drive separately afterwards? I'm worried that the SSD and RAID data may already be unrecoverable and a clean start will be needed, which means turning to the NAS for backups.......but I'm scared to turn the NAS box on and hook it up to any machine on the home network as every drive which has been plugged into my desktop PC seems to get infected via something that is inside the motherboard.

When I plugged in my spare Vista drive the other day to try and boot into Vista all that was plugged in to the motherboard was the CD drive, memory, PSU, USB 3 connector slots. The Vista install was compromised - so it suggests this virus is living in either one of those peripheral / internal devices, or the motherboard / BIOS / UEFI ROM?

It's a tricky one. I will take any advice going forward as I'm stumped 😞

My thoughts are to start via a rescue CD but instructions on how to clean the infection using one without causing further damage (the NAS backup) would be fantastic.

  • Root Admin

Hello @jpmad4it

Great, that's good. We can treat the NAS RAID device as a separate issue once we get to that point.

You will need a new or formatted USB stick at least 8GB in size. Then follow the directions from the following topic and download the Windows 10 installation media:

https://support.microsoft.com/en-us/help/15088/windows-10-create-installation-media

Burn it to your USB thumb drive. Then boot from that thumb drive on the affected computer. Check your computer vendor website for which hot keys or BIOS settings to use. If unsure let me know the name of the computer manufacturer, if laptop or desktop, and model number and I'll check for you.

Once the computer is booted from the USB stick then start the Command prompt and type in the following and press the Enter key.

 

DISKPART

It will enter in to the diskpart program. Then type in the following

LIST DISK

That will show which disks are in the computer. In most cases we're going to want to choose disk 0 so type in the following.

SELECT DISK 0

LIST PARTITION

 

Either copy/paste that back to me or take a screenshot or picture with your phone to share.

Thanks

 

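A small parser for the LIST PARTITION printout the post above asks for, added here as an example rather than anything from the thread or from Malwarebytes. Both diskpart printouts are constructed; the layout check flags more than one Primary or Recovery partition on the OS disk, which is the kind of extra cloned or recovery-like partition described earlier in the thread and worth a closer look before deciding the disk is clean.

```python
import re
from typing import Dict, List

# Constructed sample of what diskpart prints after SELECT DISK 0 / LIST PARTITION
# on a standard UEFI/GPT Windows 10 install: System (EFI), Reserved (MSR),
# one Primary (the OS volume) and one Recovery (WinRE) partition.
SAMPLE_STANDARD = """
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            237 GB   117 MB
  Partition 4    Recovery           530 MB   237 GB
"""

# Constructed sample with a second Primary and a second Recovery partition,
# i.e. the "clone of Windows plus an extra recovery partition" shape.
SAMPLE_SUSPICIOUS = """
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            118 GB   117 MB
  Partition 4    Recovery           530 MB   118 GB
  Partition 5    Primary            118 GB   119 GB
  Partition 6    Recovery           800 MB   237 GB
"""

# One data row: "Partition N   Type   <size> <unit>   <offset> <unit>"
_ROW = re.compile(
    r"^\s*Partition\s+(\d+)\s+(\S+)\s+(\d+)\s+(B|KB|MB|GB|TB)\s+(\d+)\s+(B|KB|MB|GB|TB)\s*$"
)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def parse_list_partition(text: str) -> List[Dict]:
    """Turn a pasted LIST PARTITION printout into a list of partition records.
    Header, separator and blank lines do not match the row pattern and are skipped."""
    parts = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        num, ptype, size, sunit, off, ounit = m.groups()
        parts.append({
            "number": int(num),
            "type": ptype,
            "size_bytes": int(size) * _UNIT[sunit],
            "offset_bytes": int(off) * _UNIT[ounit],
        })
    return parts


def review_layout(parts: List[Dict]) -> List[str]:
    """Return findings for a single-disk Windows layout; an empty list means the
    disk has the usual one System / one Primary / at most one Recovery shape."""
    findings = []
    by_type: Dict[str, List[Dict]] = {}
    for p in parts:
        by_type.setdefault(p["type"], []).append(p)

    if "System" not in by_type:
        findings.append("no System (EFI) partition: not a UEFI-bootable Windows layout")

    primaries = [p["number"] for p in by_type.get("Primary", [])]
    if len(primaries) > 1:
        findings.append(f"multiple Primary partitions {primaries}: more than one OS/data volume")

    recoveries = [p["number"] for p in by_type.get("Recovery", [])]
    if len(recoveries) > 1:
        findings.append(f"multiple Recovery partitions {recoveries}: expected at most one WinRE partition")

    return findings


if __name__ == "__main__":
    for label, sample in (("standard", SAMPLE_STANDARD), ("suspicious", SAMPLE_SUSPICIOUS)):
        issues = review_layout(parse_list_partition(sample))
        print(label, "->", issues or "layout looks standard")
```

Paste the real printout in place of the constructed samples; sizes are the rounded values diskpart prints, so the parser is for layout triage, not for byte-exact forensics.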

Hi there

Please see attached - I had to use my Windows 8 boot CD rather than a Windows 10 USB, I hope that's ok.

The photo is just with my SSD plugged in which had Windows 10 installed on it. I'm quite sure that I may have wiped this disk along the way by accident and not :-/

 
